UNPKG

@pulumi/aws

Version:

A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources.

pulumi.io

pulumi/pulumi-aws

223 lines (222 loc) • 9.59 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * Provides a resource to manage a default security group. This resource can manage the default security group of the default or a non-default VPC. * * > **NOTE:** This is an advanced resource with special caveats. Please read this document in its entirety before using this resource. The `aws.ec2.DefaultSecurityGroup` resource behaves differently from normal resources. This provider does not _create_ this resource but instead attempts to "adopt" it into management. * * When the provider first begins managing the default security group, it **immediately removes all ingress and egress rules in the Security Group**. It then creates any rules specified in the configuration. This way only the rules specified in the configuration are created. * * This resource treats its inline rules as absolute; only the rules defined inline are created, and any additions/removals external to this resource will result in diff shown. For these reasons, this resource is incompatible with the `aws.ec2.SecurityGroupRule` resource. * * For more information about default security groups, see the AWS documentation on [Default Security Groups][aws-default-security-groups]. To manage normal security groups, see the `aws.ec2.SecurityGroup` resource. * * ## Example Usage * * The following config gives the default security group the same rules that AWS provides by default but under management by this provider. This means that any ingress or egress rules added or changed will be detected as drift. * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as aws from "@pulumi/aws"; * * const mainvpc = new aws.ec2.Vpc("mainvpc", {cidrBlock: "10.1.0.0/16"}); * const _default = new aws.ec2.DefaultSecurityGroup("default", { * vpcId: mainvpc.id, * ingress: [{ * protocol: "-1", * self: true, * fromPort: 0, * toPort: 0, * }], * egress: [{ * fromPort: 0, * toPort: 0, * protocol: "-1", * cidrBlocks: ["0.0.0.0/0"], * }], * }); * ``` * * ### Example Config To Deny All Egress Traffic, Allowing Ingress * * The following denies all Egress traffic by omitting any `egress` rules, while including the default `ingress` rule to allow all traffic. * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as aws from "@pulumi/aws"; * * const mainvpc = new aws.ec2.Vpc("mainvpc", {cidrBlock: "10.1.0.0/16"}); * const _default = new aws.ec2.DefaultSecurityGroup("default", { * vpcId: mainvpc.id, * ingress: [{ * protocol: "-1", * self: true, * fromPort: 0, * toPort: 0, * }], * }); * ``` * * ### Removing `aws.ec2.DefaultSecurityGroup` From Your Configuration * * Removing this resource from your configuration will remove it from your statefile and management, but will not destroy the Security Group. All ingress or egress rules will be left as they are at the time of removal. You can resume managing them via the AWS Console. * * ## Import * * Using `pulumi import`, import Security Groups using the security group `id`. For example: * * ```sh * $ pulumi import aws:ec2/defaultSecurityGroup:DefaultSecurityGroup default_sg sg-903004f8 * ``` */ export declare class DefaultSecurityGroup extends pulumi.CustomResource { /** * Get an existing DefaultSecurityGroup resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input<pulumi.ID>, state?: DefaultSecurityGroupState, opts?: pulumi.CustomResourceOptions): DefaultSecurityGroup; /** * Returns true if the given object is an instance of DefaultSecurityGroup. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is DefaultSecurityGroup; /** * ARN of the security group. */ readonly arn: pulumi.Output<string>; /** * Description of the security group. */ readonly description: pulumi.Output<string>; /** * Configuration block. Detailed below. */ readonly egress: pulumi.Output<outputs.ec2.DefaultSecurityGroupEgress[]>; /** * Configuration block. Detailed below. */ readonly ingress: pulumi.Output<outputs.ec2.DefaultSecurityGroupIngress[]>; /** * Name of the security group. */ readonly name: pulumi.Output<string>; readonly namePrefix: pulumi.Output<string>; /** * Owner ID. */ readonly ownerId: pulumi.Output<string>; /** * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration. */ readonly region: pulumi.Output<string>; readonly revokeRulesOnDelete: pulumi.Output<boolean | undefined>; /** * Map of tags to assign to the resource. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level. */ readonly tags: pulumi.Output<{ [key: string]: string; } | undefined>; /** * A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block. */ readonly tagsAll: pulumi.Output<{ [key: string]: string; }>; /** * VPC ID. **Note that changing the `vpcId` will _not_ restore any default security group rules that were modified, added, or removed.** It will be left in its current state. */ readonly vpcId: pulumi.Output<string>; /** * Create a DefaultSecurityGroup resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args?: DefaultSecurityGroupArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering DefaultSecurityGroup resources. */ export interface DefaultSecurityGroupState { /** * ARN of the security group. */ arn?: pulumi.Input<string>; /** * Description of the security group. */ description?: pulumi.Input<string>; /** * Configuration block. Detailed below. */ egress?: pulumi.Input<pulumi.Input<inputs.ec2.DefaultSecurityGroupEgress>[]>; /** * Configuration block. Detailed below. */ ingress?: pulumi.Input<pulumi.Input<inputs.ec2.DefaultSecurityGroupIngress>[]>; /** * Name of the security group. */ name?: pulumi.Input<string>; namePrefix?: pulumi.Input<string>; /** * Owner ID. */ ownerId?: pulumi.Input<string>; /** * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration. */ region?: pulumi.Input<string>; revokeRulesOnDelete?: pulumi.Input<boolean>; /** * Map of tags to assign to the resource. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level. */ tags?: pulumi.Input<{ [key: string]: pulumi.Input<string>; }>; /** * A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block. */ tagsAll?: pulumi.Input<{ [key: string]: pulumi.Input<string>; }>; /** * VPC ID. **Note that changing the `vpcId` will _not_ restore any default security group rules that were modified, added, or removed.** It will be left in its current state. */ vpcId?: pulumi.Input<string>; } /** * The set of arguments for constructing a DefaultSecurityGroup resource. */ export interface DefaultSecurityGroupArgs { /** * Configuration block. Detailed below. */ egress?: pulumi.Input<pulumi.Input<inputs.ec2.DefaultSecurityGroupEgress>[]>; /** * Configuration block. Detailed below. */ ingress?: pulumi.Input<pulumi.Input<inputs.ec2.DefaultSecurityGroupIngress>[]>; /** * Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the provider configuration. */ region?: pulumi.Input<string>; revokeRulesOnDelete?: pulumi.Input<boolean>; /** * Map of tags to assign to the resource. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level. */ tags?: pulumi.Input<{ [key: string]: pulumi.Input<string>; }>; /** * VPC ID. **Note that changing the `vpcId` will _not_ restore any default security group rules that were modified, added, or removed.** It will be left in its current state. */ vpcId?: pulumi.Input<string>; }